Hi ,
we are running 6 node cluster with 3 master and 3 data node
in each node we are using letsencrypt certificate as below which expires every 3 month
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/letsencrypt/elk.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/letsencrypt/elk.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/letsencrypt/isrgrootx1.pem" ]
from clients like fluent bit that connect with Elasticsearch cluster we disabled the certificate validation and it worked well
From Elasticsearch cluster operation point of view , can we keep the cluster up and running with expired certificate ?
Any risk keeping the expired certificates , considering its a production cluster , on the typical operations of the cluster
The communication between nodes use the xpack.security.transport.* settings, are you generating these certificates with Letsencrypt as well?
If I'm not wrong, the node will continue to run with expired certificate, but if a node has any issue and leaves the cluster, it will not be able to rejoin, which can impact in the availability of the cluster.
Thanks @leandrojmp for the reply , These certificates xpack.security.transport.* are not using LetEncrypt and its valid for next 3 years ,
My query is only related to xpack.security.http.* certificate , if i can let this certificate expires , will it impact cluster or its operation in future , like restart or node expansion like adding new nodes , removing other nodes or any other cluster operation
The xpack.security.http.* is used by Clients, not nodes, the nodes communicate using the xpack.security.transport.* setting, so I don't think it will impact operations for the nodes.
It will impact Kibana however, because Kibana is a client.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.